On Mon, 2018-02-26 at 10:26 -0600, mcatanz...@gnome.org wrote:
> On Mon, Feb 26, 2018 at 9:37 AM, Nikos Mavrogiannopoulos 
> <n...@redhat.com> wrote:
> > Regarding the strong crypto change in Fedora 28 [0], we have identified
> > a few (usually internal) sites which break under Firefox or other tools.
> > The main reason for this breakage is that these sites only support
> > Diffie-Hellman with 1024-bit parameters, which are considered too weak
> > by this change.
> 
> Setting up a unified distro-wide crypto policy was a Good Thing, but we
> have to use it responsibly. Unfortunately, I don't think it's practical
> for Fedora to increase the minimum required Diffie-Hellman parameter
> size to 2048 until either Firefox or Chrome has done so first. Users
> are just going to object that they can't use Fedora to access various
> important websites, and those important websites will never be fixed so
> long as they're only broken for Fedora users. We should consider
> ourselves at the mercy of the major browser vendors to implement new
> restrictions before we do. It's a shame that major browsers are so
> unwilling to break websites, even when it's clearly important for
> security, but that's the world we live in. :/
> 
> Alternatively, if you want to strengthen the system crypto policy, then
> it should not apply to web browsers at all. Or web browsers should
> automatically use the weak policy. (We'd need the weak policy in
> glib-networking, too.)

I agree we need to have the DEFAULT policy be applicable to all
applications, browsers or not (otherwise we end up with reports like
"curl and wget don't work while Firefox does"). It is important, though,
to gather all the data we can from the user reports before reverting, in
order to better understand why that doesn't work, which apps are
affected, and to better predict when we can make it work.

From the current reports, I believe we have two classes of systems
which cause a problem: (1) systems with implementations which don't
support elliptic curves (that may be RHEL 5, CentOS 5), where the
administrator set up 1024-bit DH parameters, and (2) Cisco VPN servers
which are configured to use 1024-bit DH parameters.

regards,
Nikos
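Added here as an illustration, not code from the thread or from Fedora's crypto-policies: a small Python parser for the ServerDHParams structure of a TLS 1.2 ServerKeyExchange that reports the actual modulus bit length, the value the policy change compares against 2048. The sample moduli are constructed for size only and are not real DH primes; `MIN_DH_BITS` and the function names are assumptions for this example.

```python
import struct

# Minimum DH modulus size the Fedora 28 policy change enforces (from the thread).
MIN_DH_BITS = 2048


def parse_server_dh_params(body):
    """Parse ServerDHParams (RFC 5246 section 7.4.3) at the start of a
    TLS 1.2 ServerKeyExchange body: dh_p, dh_g, dh_Ys, each a 2-byte
    length followed by a big-endian integer. Returns (p, g, Ys) as ints."""
    off, out = 0, []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError("truncated before %s length" % name)
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError("bad %s length %d" % (name, n))
        out.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(out)


def check_dh_policy(body, min_bits=MIN_DH_BITS):
    """Return (modulus_bits, acceptable). The size is taken from the
    integer's bit length, not from the length field: a server that
    encodes a 1024-bit p with a leading zero byte sends 129 bytes, and
    129 * 8 would wrongly suggest a 1032-bit group."""
    p, _g, _ys = parse_server_dh_params(body)
    bits = p.bit_length()
    return bits, bits >= min_bits


def encode_server_dh_params(p, g, ys):
    """Encode (p, g, Ys) as ServerDHParams; used here to build sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


if __name__ == "__main__":
    # Constructed sample moduli: correct sizes, but NOT real DH primes.
    for label, p in (("1024-bit", (1 << 1023) | 1), ("2048-bit", (1 << 2047) | 1)):
        bits, ok = check_dh_policy(encode_server_dh_params(p, 2, 12345))
        print("%s group: %d bits -> %s" % (label, bits, "allowed" if ok else "rejected"))
```

Feeding it the ServerKeyExchange body captured from one of the failing internal sites shows whether the 1024-bit group is the cause before the server-side parameters are regenerated.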
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org